TheCorporateCounsel.net

July 27, 2023

More on Cybersecurity: New Periodic Disclosure for Form 10-K and Form 20-F

Under a new “Item 1C. Cybersecurity” in Part I of Form 10-K, issuers will be required to disclose information regarding the issuer’s cybersecurity risk management, strategy and governance. The required information must be tagged using Inline XBRL.

With respect to risk management and strategy, an issuer must describe the issuer’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing this disclosure, an issuer should address, as applicable, the following non-exclusive list of disclosure items:

– Whether and how any such processes have been integrated into the issuer’s overall risk management system or processes;
– Whether the issuer engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
– Whether the issuer has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

An issuer must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the issuer, including its business strategy, results of operations, or financial condition and, if so, how.

With respect to governance, an issuer must describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the issuer must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

An issuer must also describe management’s role in assessing and managing the issuer’s material risks from cybersecurity threats. In providing such disclosure, an issuer should address, as applicable, the following non-exclusive list of disclosure items:

– Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
– The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
– Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Relevant expertise of management may include, for example, prior work experience in cybersecurity, any relevant degrees or certifications, and any knowledge, skills, or other background in cybersecurity.

In their Form 20-F, foreign private issuers must provide similar disclosures regarding the issuer’s cybersecurity risk management, strategy and governance.

– Dave Lynn